I'm looking into setting up a "secure" FTP server, and feel like OpenBSD would be a good choice.

I've configured the core OpenBSD ftpd server and have set up a very workable process to manage file privileges and restrictions using login classes. However, I have not been able to find any information on how/if this can be set up using FTP over TLS, as some clients have legal requirements for over-the-wire encryption for certain data.

Obviously I could look at vsftpd, PureFTPD or use SFTP using OpenSSH, but I would frankly rather use the core as much as possible to minimize attack surface.

Hello, and welcome! I don't think this is possible with ftpd(8), though of course I could be wrong. I often am.

I believe that the OpenBSD Project would have a difference of opinion over what is considered core. OpenSSH is more than a tool that is included in the base with other applications; OpenSSH is an OpenBSD subproject. There are two versions of OpenSSH: a) the OpenSSH included with OpenBSD, and b) Portable OpenSSH, for use with other operating systems: other BSDs, Unix systems, Linux, etc.

FileZilla Client is a free, open source FTP client. It supports FTP, SFTP, and FTPS (FTP over SSL/TLS). The client is available under many platforms, binaries for Windows, Linux and Mac OS X are provided.

__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump